Why These Microsoft Defender Vulnerabilities Matter Right Now
Two newly disclosed Microsoft Defender vulnerabilities are under active exploitation, making them an urgent Windows security concern. The first, a Microsoft Defender vulnerability tracked as CVE-2026-41091, is a privilege escalation flaw rated 7.8 on the CVSS scale. The second, CVE-2026-45498, is a denial-of-service issue with a CVSS score of 4.0. Both impact the Microsoft Defender Antimalware Platform that ships with supported Windows systems. What makes these bugs particularly serious is that attackers are already exploiting them in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency has placed both issues in its Known Exploited Vulnerabilities catalog and set an aggressive remediation deadline for federal agencies, underscoring the risk to production environments. Microsoft has released fixed Defender platform versions and states that updates are delivered automatically, but you should still verify that your endpoints are actually protected.
CVE-2026-41091: SYSTEM Privilege Escalation via Improper Link Handling
CVE-2026-41091 is the more severe of the two flaws because it enables SYSTEM privilege escalation. Microsoft describes it as an "improper link resolution before file access" problem in Microsoft Defender, sometimes referred to as a link-following issue. In practice, an attacker who already has some level of access to a machine could exploit this Microsoft Defender vulnerability to execute actions with full SYSTEM rights. Once an attacker reaches SYSTEM privileges, they can effectively take complete control of the affected host: installing or removing software, disabling security controls, exfiltrating data, or using the machine as a beachhead for lateral movement. While details of the CVE-2026-41091 exploit technique have not been publicly disclosed, its active exploitation status means adversaries have workable methods today, increasing the pressure on organizations to apply the corresponding Windows security patch levels and Defender updates quickly.
CVE-2026-45498: Defender Denial-of-Service and Operational Disruption
CVE-2026-45498 is a denial-of-service vulnerability affecting Microsoft Defender. With a CVSS score of 4.0, it is less critical on paper than a SYSTEM privilege escalation, but it still poses real risk in production environments. Successful exploitation can disrupt the Defender antimalware service, potentially leaving systems temporarily unprotected or degrading performance on critical hosts. Because Defender is deeply integrated into modern Windows environments, a denial-of-service exploit could be used as a precursor to additional attacks. For example, an adversary might first trigger CVE-2026-45498 to interfere with detection, then attempt other techniques while defenses are impaired. Microsoft has patched this bug in Microsoft Defender Antimalware Platform version 4.18.26040.7. As with CVE-2026-41091, Microsoft notes that systems that have Microsoft Defender disabled are not susceptible, but for most organizations Defender remains an essential security control that must be kept fully operational.
Patch Status: Fixed Versions and Automatic Update Behavior
Microsoft has released fixes for both actively exploited Defender vulnerabilities through updated antimalware platform builds. CVE-2026-41091 and CVE-2026-45498 are addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively. These updates are delivered through the standard Defender update mechanism, which also distributes new malware definitions and engine enhancements. According to Microsoft, no manual action is required on systems where Microsoft Defender is enabled and allowed to update normally; the platform and engine should update automatically to the secure versions. However, automatic updates can fail or be delayed in some environments due to connectivity, policy restrictions, or third-party management tools. Given that both vulnerabilities are present in the Known Exploited Vulnerabilities catalog, security teams should not assume coverage. Instead, they must verify that endpoints are actually running the patched platform builds as part of their regular Windows security patch validation process.
How to Verify and Update Microsoft Defender Immediately
To ensure you are protected against the CVE-2026-41091 exploit and the CVE-2026-45498 denial-of-service bug, you should manually confirm that Microsoft Defender is up to date. On affected systems, open the Windows Security application, then select "Virus & threat protection" in the navigation pane. Under the "Virus & threat protection" section, click "Protection updates" and choose "Check for updates" to trigger the latest engine and definition downloads. Next, in the Windows Security navigation pane, select "Settings" and then "About". Review the Antimalware Client Version and confirm it matches or exceeds the patched platform builds identified by Microsoft. If versions lag behind, investigate group policy, network, or management tool settings that might be blocking updates. Prioritizing these checks across your fleet will significantly reduce the chance that attackers can use these actively exploited Defender flaws to escalate to SYSTEM or disrupt your defenses.